Just when you thought news about Zoom, the now massively popular video conferencing app, couldn’t get worse, it does. At least this time, it’s not the fault of the company itself but rather crafty cybercriminals.

Abnormal Security reports that there is a new wave of Zoom phishing attacks impacting around 50,000 email inboxes so far. The phony emails look like legitimate invitations to join a meeting with regard to the recipient’s supposed termination. The invitation link directs victims to a phishing page where the user is asked for their log-in credentials. Any information entered then gets sent directly to the attacker.

What do you do when one of your well-performing employees routinely falls for phishing attacks? On the whole, the person is a great employee, but when it comes to acting with caution, they fail. If you’ve made a point to prioritize staff training regarding phishing attacks, and they aren't following protocol, do you replace the employee?

In the late 1970s and early 1980s, the Bell telephone companies were making a fortune from long-distance calling, charging up to $2 per minute at peak hours to reach friends and family who lived outside a caller's predefined local region, and those regions kept shrinking. Some people fought this costly system by reverse-engineering the in-band tones the network used to route long-distance calls, so they could route their own calls without paying the per-minute charges. These people were called phone phreaks, or phreakers, and they are widely regarded as the forerunners of today's hackers.

Cut to the modern day: most domestic long-distance calls are now free, relegating phreakers to the annals of history. Today's hackers thrive in digital environments, using tools and techniques the average person has never heard of to get at data. Why would they want data?

What Motivates Hackers?

The motivation varies from hacker to hacker, but a successful intrusion yields only a few kinds of payoff: leverage over a computing system (access that can be sold, rented out or held for ransom), occasionally money stolen outright, and most often data to mine. Data is the usual target because the insatiable demand for (and abundance of) it means stolen records fetch a savvy hacker a pretty penny on the dark web.

Whatever the motivation, a hacker needs access. The network security tools most businesses have in place, kept patched and properly configured, are usually enough to make a direct technical intrusion expensive. That reality has driven the rise of social engineering attacks such as phishing: if attackers cannot get into your network and infrastructure through a software flaw or a direct network attack, they gain access by deceiving a person who already has it.

What Exactly is Phishing?

Phishing is exactly what the name implies: the attacker baits a hook by sending messages directly to end users, over any communications channel available. Email phishing is the most prevalent form for businesses, but phishing by telephone, SMS, social media and instant messaging has grown in popularity.

A phishing message either leads you to a fake page that collects credentials or personal information, or carries an attachment that installs malware. Once the malware is running, it harvests saved credentials and other valuable data, and a couple of mouse clicks later your company's network and infrastructure are exposed.

Some especially nasty strains of malware, called ransomware, encrypt your files and then display a message holding your system's (or worse, your business's) data for ransom. Miss the deadline and the attackers may raise the price or destroy the decryption key, leaving the data unrecoverable, and paying is no guarantee of getting it back. Offline, regularly tested backups are the realistic defense.

Training Your Employees

Kaspersky Lab reported that its anti-phishing system detected 482.5 million phishing redirects in 2018, roughly double the 2017 figure. That is a troubling trend that shows no sign of changing course, so training your employees in how phishing attacks succeed is imperative. How to do that well, and how to keep staff current on the threats actively causing problems, is the hard part.

Some argue that embedded training (training delivered in the normal course of business, such as a simulated phishing email followed by a teaching moment) is ineffective at mitigating phishing attacks. Our position is that any training beats none, but the best training for your employees is proactive rather than purely reactive: instead of only testing how people react, raise their awareness of the threats that are out there. Phishing in particular is an attack many people are exposed to daily, so there are some specific things they should understand to be better prepared when they encounter one. They include:

What Phishing Is - Clearly define what phishing is and which forms of it they are likely to come across.

What Email Address Spoofing Is - We like to compare it to robocalls that appear to come from a local number: the caller is simply forging a local number, and forging the visible sender name or address of an email is just as easy. Teach staff to check the full sender address, not just the display name, and to remember that even a correct-looking address can be forged when the sending domain does not enforce SPF, DKIM and DMARC.

Phishing Subject Lines Are Typically Aggressive - Whether enticing or threatening, phishing subject lines almost always stand out, and once opened the message usually continues that tone, pressuring users into acting before they think.

Phishing Isn't Always Obvious - Spear-phishing tactics use publicly available information to target specific individuals in your company, for instance by making the email appear to come from your boss.

Phishing Uses Links and Attachments - Merely opening a phishing email usually does no harm (though loading remote images can tell the attacker the message was read). The serious trouble starts when someone clicks a link in the message or downloads and opens an attachment. Teach your staff to treat any unexpected link or attachment with suspicion, to hover over links to see the real destination, and to verify unusual requests through a separate, known-good channel.

These are just the basics. Phishing can completely devastate your business, so if you are looking to put together a comprehensive training plan for your staff, reach out to the IT professionals at Machado Consulting. We can help you come up with a plan to get your staff the knowledge they need to keep your business safe and running efficiently. To learn more call us today at (508) 453-4700.

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable, which means you and your users must be ready to catch these attempts yourselves. Here, we review a few newer techniques that can appear in a phishing attempt and how you and your users can identify them.

Phishing attacks have been in the public consciousness for a while now, and for good reason: they are the predominant way hackers gain access to secured networks and data. Unfortunately, awareness of an issue doesn't always prevent attacks. In this case, hackers simply get more aggressive: by casting a seemingly limitless net, they send an estimated 57 billion phishing emails a year, and even a tiny fraction of those succeeding makes the effort very profitable.

Phishing attacks attempt to coerce information from users. Targeted variants are especially sinister because they use personalized messages aimed at specific users or businesses; unlike generic spam, a convincing, tailored message yields major results for the attacker.

Phishing is big business. Reviewing the year's most-clicked subject lines, we looked for trends that could be easily identified. The five subject-line categories that appeared quarter over quarter related to deliveries, passwords, company policies, vacation, and IT department ("in the wild") emails.

Some of the most common "in the wild" subject lines in this period were:

Apple: You recently requested a password reset for your Apple ID

SharePoint: You Have Received 2 New Fax Messages

DocuSign: You've received a Document for Signature

ZipRecruiter: ZipRecruiter Account Suspended

IT System Support

Amazon: Your Order Summary

Office 365: Suspicious Activity Report

Top 10 Most-Clicked General Email Subjects in Q4 2018 (presented as an infographic in the original post)

Protect yourself by double-checking the sender's name, the full email address (not just the display name) and the actual destination of every link. Suspect malicious intent if the sender asks for personal information, credentials or money, if there are spelling mistakes, or if the message presses a strong sense of urgency to respond; you are likely looking at a phishing attempt. Don't reply, don't click, and don't enter any information. Report the email to your IT team or mark it as phishing/spam so your filters learn from it. If you have any questions or suspicions about an email you receive, feel free to contact us.
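The checks above, and the display-name spoofing described earlier in the training checklist, can be turned into a small triage script. The following is an added example written for this page, not code from Machado Consulting or from any of the vendors named here. It parses a raw email with Python's standard library and flags four indicators: a display name that brands a domain the real address does not belong to, a Reply-To that routes answers to a different domain, link text that shows one site while the href goes to another, and urgency or "send us your password/money" wording. The keyword lists are illustrative, the two sample messages are constructed (the .example domains are reserved for documentation), and the domain-matching helper is deliberately simplified, as noted in the comments.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative wording lists (assumptions for this demo, not a vetted ruleset):
# aggressive urgency, and requests for secrets or money.
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended",
                 "final notice", "action required")
REQUEST_TERMS = ("password", "verify your account", "log in", "login",
                 "wire transfer", "payment", "gift card")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Demo-grade: production code should use
    the Public Suffix List, since e.g. 'example.co.uk' is handled wrongly here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """Registrable domain of the first hostname-looking token in text, or ''."""
    m = DOMAIN_RE.search(text.lower())
    return registered_domain(m.group(0)) if m else ""


def phishing_indicators(raw):
    """Return (code, detail) findings for one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    senders = msg["From"].addresses if msg["From"] else ()
    sender = senders[0] if senders else None
    from_domain = registered_domain(sender.domain) if sender else ""

    # 1. Display-name spoofing: the friendly name brands a domain the real address lacks.
    if sender:
        claimed = domain_in_text(sender.display_name)
        if claimed and claimed != from_domain:
            findings.append(("display_name_mismatch",
                             f"name claims {claimed}, address is {sender.addr_spec}"))

    # 2. Replies are silently routed to another domain.
    for r in (msg["Reply-To"].addresses if msg["Reply-To"] else ()):
        if registered_domain(r.domain) != from_domain:
            findings.append(("reply_to_mismatch", f"Reply-To {r.addr_spec}"))

    # 3. Link text shows one site while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = _Links()
    links.feed(html)
    for href, shown in links.pairs:
        target = registered_domain(urlparse(href).hostname or "")
        displayed = domain_in_text(shown)
        if displayed and target and displayed != target:
            findings.append(("link_mismatch", f"text says {displayed}, href goes to {target}"))

    # 4. Tone: urgency plus a request for credentials or money (subject + visible body).
    visible = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    if hits := [t for t in URGENCY_TERMS if t in visible]:
        findings.append(("urgency", ", ".join(hits)))
    if hits := [t for t in REQUEST_TERMS if t in visible]:
        findings.append(("asks_for_secrets_or_money", ", ".join(hits)))
    return findings


# Constructed sample messages (not real mail); .example is reserved for documentation.
SAMPLE_PHISH = b"""From: "Microsoft Account Team - microsoft.com" <alerts@m1crosoft-support.example>
Reply-To: recovery@accounts-review.example
Subject: Suspicious Activity Report: action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual sign-in detected. Your mailbox will be suspended
within 24 hours unless you <a href="http://login.accounts-review.example/o365">
https://login.microsoftonline.com</a> and verify your account.</p></body></html>
"""

SAMPLE_BENIGN = b"""From: "Acme Payroll" <payroll@acme.example>
Subject: Your October statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is posted at
<a href="https://hr.acme.example/statements">hr.acme.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(raw))
```

Run it as a script to see every indicator fire on the constructed phish and none on the benign payroll notice. Note what the script does not do: it does not validate SPF, DKIM or DMARC results, does not resolve shortened URLs, and will miss a lookalike domain that the display name never mentions, so treat it as a first-pass filter that surfaces messages for a human to look at, not a verdict.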

For a full infographic on these most common phishing attempts, click here.

Email is a core component of any business: an estimated 124.5 billion business emails are sent and received each day. That is a massive volume of communication, and it can be a wide-open door for security threats. Are the emails coming and going from your business secure? To keep your email secure, we have outlined the following tips:

Spam is a major hindrance for any business that relies on email, but with the right filtering technology it is easy to protect your employees' time from run-of-the-mill spam. Unfortunately, attackers have adapted and made scam emails harder to identify: they now tailor their messages to specific individuals within an organization.

Chances are you've heard of phishing before: emails that promise some benefit or prize if you just click the included link, and that actually bring nothing but trouble for you and your data. Unfortunately, as technology has gone mobile, so have phishing attempts, which is why you must also be aware of SMiShing (SMS phishing) scams.

Over the weekend we saw Hurricane Harvey hit the Texas Gulf Coast, especially Houston, where many Americans are in need of help. Naturally, we all want to do what we can by donating to charities helping those affected. Unfortunately, we also have to watch out for scammers looking to make a quick buck off people generous enough to give.

Phishing attacks have been around for decades; the first recorded cases date to 1995, when scammers posing as AOL employees requested users' billing information over instant messages. Nowadays, email phishing tricks users into handing over personal information of all kinds. There are many ways to identify a phishing attempt, but today we'll focus on one.

An unfortunate fact of modern business is that any organization that uses technology is playing with fire. Cyber attacks can circumvent even the best-protected networks by going through the company's users. Business owners often don't learn this until they are on the receiving end of an attack, like the two companies that fell victim to phishing attempts allegedly run by Evaldas Rimasauskas, a Lithuanian national accused of stealing $100 million from them.

The FBI and IRS have repeatedly warned the public about W-2 phishing scams, and the number of reported cases has increased significantly this year. W-2 scams are hitting everywhere; even a cybersecurity contractor was hit with one!